dbc10182113f2409736789056f3bbf57a58da8c6dac84f0e97dc80d4cd99d948

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe
Size

66KB
MD5

25c1c483e96a542aa65e44076e84f723
SHA1

92a7ecb9addfc7824ef487b8e78574f2a0bd800c
SHA256

dbc10182113f2409736789056f3bbf57a58da8c6dac84f0e97dc80d4cd99d948
SHA512

0679b6693a386d0cf16b7a8f8db72163f7cd9672b18bebe9123010a34259ba31fcf1c2e859d74a41f4894a4e31cb7583f11dde0d2d2991e12d207f98d9b4ec73
SSDEEP

1536:SOOs0IhW+HeDMM8QbPM9MR6waK/+6ndsQ3OaI:SOOsRhfHeDr8QbLaKW66wI

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\czsvpu\Parameters\ServiceDll = "%SystemRoot%\\SYSTEM32\\hviymw.dll"	25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\czsvpu\Parameters\ServiceDll = "%SystemRoot%\\SYSTEM32\\hviymw.dll"	25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\czsvpu\Parameters\ServiceDll = "%SystemRoot%\\SYSTEM32\\hviymw.dll"	25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1008	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
5092	25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe
1008	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\00049abf.sys	25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hviymw.dll	25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25c1c483e96a542aa65e44076e84f723_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:5092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k czsvpu
1⤵
- Deletes itself
- Loads dropped DLL
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hviymw.dll

Filesize
90KB

MD5
cd2a1935e3936956002cbf67a790b163

SHA1
6d95d180d716da4171fa7e46651660375363c0ca

SHA256
4b8d433b24335ea84ad8f07cbe4e021dc77454183e5d20166236f833256e975b

SHA512
2ac819c0a279a4604b98b822321b089f2bbfe7148ed103ae3eaea12fcb83a7315d66370591ccfcd6d56706ceb78fdc9bcce1b6f039a3a3abf16b2a9c4ce70308

Download Submit